Blog - IPFire 2.25 - Core Update 142 released

It's very strange.

I've downgraded to 141 and upgraded to 142, and after this rebooted the router, and now it's “working”.

I don't know, boy, with 141 I didn't have so many problems. I will keep looking to see.

Do you know of any manual on how to identify the problem? It would be a great help.

Greetings and thanks.

Now it's “Broken”.
24/03 - 10:28 --> “Working”
24/03 - 11:01 --> “Broken”

Mine is OK since Sunday, but I can't log in to ipfirepeople, it always gives me a DNS error. I'm writing from my cell phone now.

Could it be an ISP related issue?

This is the unbound log from yesterday:

```
22:27:34 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
12:01:59 unbound: [1889:0] info: 32.000000 64.000000 16
12:01:59 unbound: [1889:0] info: 16.000000 32.000000 27
12:01:59 unbound: [1889:0] info: 8.000000 16.000000 16
12:01:59 unbound: [1889:0] info: 4.000000 8.000000 11
12:01:59 unbound: [1889:0] info: 2.000000 4.000000 11
12:01:59 unbound: [1889:0] info: 1.000000 2.000000 25
12:01:59 unbound: [1889:0] info: 0.524288 1.000000 73
12:01:59 unbound: [1889:0] info: 0.262144 0.524288 180
12:01:59 unbound: [1889:0] info: 0.131072 0.262144 235
12:01:59 unbound: [1889:0] info: 0.065536 0.131072 181
12:01:59 unbound: [1889:0] info: 0.032768 0.065536 115
12:01:59 unbound: [1889:0] info: 0.002048 0.004096 1
12:01:59 unbound: [1889:0] info: 0.000000 0.000001 457
12:01:59 unbound: [1889:0] info: lower(secs) upper(secs) recursions
12:01:59 unbound: [1889:0] info: [25%]=7.37418e-07 median[50%]=0.102106 [75%]=0.294184
12:01:59 unbound: [1889:0] info: histogram of recursion processing times
12:01:59 unbound: [1889:0] info: average recursion processing time 1.321685 sec
12:01:59 unbound: [1889:0] info: server stats for thread 0: requestlist max 4 avg 0.16507 exceeded 0 jostled 0
12:01:59 unbound: [1889:0] info: server stats for thread 0: 3436 queries, 2088 answers from cache, 1348 recursions, 9 prefetch, 0 rejected by ip ratelimiting
11:06:49 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
10:09:54 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
08:54:19 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
08:36:27 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
07:41:31 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
06:47:05 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
05:48:53 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
04:29:24 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
03:32:00 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
02:14:22 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
01:14:34 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
00:08:19 unbound: [1889:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
```

This is terrible!!!

Now I remember that I have a Raspberry Pi 3 hanging off the same router, and this Raspberry works without problems:

```
11:26:48 unbound: [2016:0] info: 2.000000 4.000000 1
11:26:48 unbound: [2016:0] info: 1.000000 2.000000 5
11:26:48 unbound: [2016:0] info: 0.524288 1.000000 5
11:26:48 unbound: [2016:0] info: 0.262144 0.524288 25
11:26:48 unbound: [2016:0] info: 0.131072 0.262144 63
11:26:48 unbound: [2016:0] info: 0.065536 0.131072 118
11:26:48 unbound: [2016:0] info: 0.032768 0.065536 59
11:26:48 unbound: [2016:0] info: 0.016384 0.032768 5
11:26:48 unbound: [2016:0] info: 0.008192 0.016384 3
11:26:48 unbound: [2016:0] info: 0.004096 0.008192 2
11:26:48 unbound: [2016:0] info: 0.002048 0.004096 2
11:26:48 unbound: [2016:0] info: lower(secs) upper(secs) recursions
11:26:48 unbound: [2016:0] info: [25%]=0.0660914 median[50%]=0.106079 [75%]=0.187246
11:26:48 unbound: [2016:0] info: histogram of recursion processing times
11:26:48 unbound: [2016:0] info: average recursion processing time 0.160594 sec
11:26:48 unbound: [2016:0] info: server stats for thread 0: requestlist max 1 avg 0.0138889 exceeded 0 jostled 0
11:26:48 unbound: [2016:0] info: server stats for thread 0: 479 queries, 191 answers from cache, 288 recursions, 0 prefetch, 0 rejected by ip ratelimiting
09:53:52 unbound: [2016:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
```

But on the machine that I tested the BETA with, problems on all sides.

```
11:51:33 unbound: [5609:0] error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:51:03 unbound: [5609:0] error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:50:33 unbound: [5609:0] error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:48:34 unbound: [5609:0] info: validation failure <migfkra.northsecure.es. A IN>: No DNSKEY record for key es. while building chain of trust
11:48:34 unbound: [5609:0] info: validation failure <sjjmwklfzcosznt.northsecure.es. A IN>: No DNSKEY record for key es. while building chain of trust
11:48:34 unbound: [5609:0] info: validation failure <mtgazfv.northsecure.es. A IN>: No DNSKEY record for key es. while building chain of trust
11:48:34 unbound: [5609:0] error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:48:17 unbound: [5609:0] info: validation failure <ocsp.pki.goog. A IN>: no signatures from 8.8.8.8 and 8.8.8.8
11:48:04 unbound: [5609:0] info: validation failure <northsecure.dedyn.io.northsecure.es. AAAA IN>: No DNSKEY record for key es. while building chain of trust
11:48:04 unbound: [5609:0] info: validation failure <Home.northsecure.es. A IN>: No DNSKEY record for key es. while building chain of trust
11:48:04 unbound: [5609:0] info: validation failure <Home.northsecure.es. AAAA IN>: No DNSKEY record for key es. while building chain of trust
11:48:04 unbound: [5609:0] error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:47:34 unbound: [5609:0] error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:47:04 unbound: [5609:0] error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:46:34 unbound: [5609:0] error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:46:28 unbound: [5609:0] info: validation failure <ping.ipfire.org. A IN>: No DNSKEY record for key org. while building chain of trust
11:46:28 unbound: [5609:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:46:03 unbound: [5609:0] error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:45:58 unbound: [5609:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:45:33 unbound: [5609:0] error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:45:28 unbound: [5609:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:44:57 unbound: [5609:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:44:27 unbound: [5609:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:43:57 unbound: [5609:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
11:43:05 unbound: [5609:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
11:42:53 unbound: [5609:0] info: start of service (unbound 1.9.6).
11:42:52 unbound: [5609:0] notice: init module 1: iterator
11:42:52 unbound: [5609:0] notice: init module 0: validator
11:42:50 unbound: [1931:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
11:42:50 unbound: [1931:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
11:42:50 unbound: [1931:0] info: service stopped (unbound 1.9.6).
11:42:48 unbound: [1931:0] info: start of service (unbound 1.9.6).
11:42:48 unbound: [1931:0] notice: init module 1: iterator
11:42:48 unbound: [1931:0] notice: init module 0: validator
```

And the bad thing is that there is no apparent solution since it is not a Movistar (ISP) problem.

I've even tried downgrading to 139 and forcing an upgrade to 142, with no results.

Sorry to be such a pain, but I see no solution other than doing a clean install and starting over, and I'm afraid to update IPFire any further.

I can't access https://blog.ipfire.org and https://people.ipfire.org/, it always gives a DNS error,
but I can access https://community.ipfire.org/.

But now I've tried to access them through a Brave browser Tor private session and I can access all of them without problem…

Veeery strange behaviour.

It happens to me too.

I’m from Italy.
Via cell phone (Vodafone) all good. The strange thing also is that when I try to access them through another ISP (via OpenVPN) the same thing happens. No access to people.ipfire.org and blog.ipfire.org, so it's not ISP related I guess.

A question @anon46344254

Did you upgrade from 141 to 142? Or did you try the testing version?

@roberto

I upgraded from 141 to 142, never used testing version.

There's clearly something wrong with the DNS system.

Unbound cannot get the root zone. This looks like something is blocking unbound. For me this looks like a firewall rule that blocks port 53, or Suricata dropping because the flooding protection triggers too early.
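A small triage script for unbound log lines of the shape posted above (an added example, not code from the thread, IPFire or unbound): it separates the root-cause line, a SERVFAIL because all forwarders failed, from the DNSSEC validation failures that follow from it, and pulls the server-stats numbers so the broken box can be compared with the healthy Raspberry Pi. The sample lines are copied from the posts above.

```python
"""Triage helper for unbound log lines of the shape posted in this thread (added
example, not code from IPFire or unbound). The root cause is the line "SERVFAIL
<zone DNSKEY IN>: all the configured stub or forward servers failed" (no upstream
answered); "No DNSKEY record for key <zone>" is its knock-on effect."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Every line starts with "HH:MM:SS unbound: [pid:thread]"; the message follows.
_PREFIX = r"^(?P<time>\d\d:\d\d:\d\d)\s+unbound:\s+\[(?P<pid>\d+):\d+\]\s+"
SERVFAIL_RE = re.compile(_PREFIX + r"error: SERVFAIL <(?P<zone>\S+) DNSKEY IN>: "
                         r"all the configured stub or forward servers failed")
NOKEY_RE = re.compile(_PREFIX + r"info: validation failure <(?P<qname>\S+) (?P<qtype>\S+) IN>: "
                      r"No DNSKEY record for key (?P<key>\S+)")
STATS_RE = re.compile(_PREFIX + r"info: server stats for thread \d+: (?P<q>\d+) queries, "
                      r"(?P<cache>\d+) answers from cache, (?P<rec>\d+) recursions")
AVG_RE = re.compile(_PREFIX + r"info: average recursion processing time (?P<secs>[\d.]+) sec")


@dataclass
class Triage:
    upstream_failed: Counter = field(default_factory=Counter)  # zone -> SERVFAIL count
    chain_broken: Counter = field(default_factory=Counter)     # missing-key zone -> count
    queries: int = 0
    recursions: int = 0
    avg_recursion_secs: Optional[float] = None

    @property
    def verdict(self) -> str:
        # An unreachable upstream is the cause; validation failures alone are the symptom.
        if self.upstream_failed:
            return "BROKEN: no forwarder answered DNSKEY queries; check what sits between unbound and port 53"
        if self.chain_broken:
            return "DEGRADED: DNSSEC chain of trust could not be built"
        return "WORKING"


def triage(lines):
    """Classify unbound log lines and return a Triage summary."""
    t = Triage()
    for line in lines:
        if m := SERVFAIL_RE.match(line):
            t.upstream_failed[m["zone"]] += 1
        elif m := NOKEY_RE.match(line):
            t.chain_broken[m["key"]] += 1
        elif m := STATS_RE.match(line):
            t.queries += int(m["q"])
            t.recursions += int(m["rec"])
        elif m := AVG_RE.match(line):
            t.avg_recursion_secs = float(m["secs"])
    return t


# Sample input copied from the posts above: the broken IPFire box and the healthy Raspberry Pi.
BROKEN_LINES = [
    "11:51:33 unbound: [5609:0] error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .",
    "11:48:34 unbound: [5609:0] info: validation failure <migfkra.northsecure.es. A IN>: No DNSKEY record for key es. while building chain of trust",
    "11:48:04 unbound: [5609:0] info: validation failure <Home.northsecure.es. AAAA IN>: No DNSKEY record for key es. while building chain of trust",
    "11:46:28 unbound: [5609:0] info: validation failure <ping.ipfire.org. A IN>: No DNSKEY record for key org. while building chain of trust",
    "11:46:28 unbound: [5609:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .",
    "12:01:59 unbound: [1889:0] info: server stats for thread 0: 3436 queries, 2088 answers from cache, 1348 recursions, 9 prefetch, 0 rejected by ip ratelimiting",
    "12:01:59 unbound: [1889:0] info: average recursion processing time 1.321685 sec",
]
HEALTHY_LINES = [
    "11:26:48 unbound: [2016:0] info: server stats for thread 0: 479 queries, 191 answers from cache, 288 recursions, 0 prefetch, 0 rejected by ip ratelimiting",
    "11:26:48 unbound: [2016:0] info: average recursion processing time 0.160594 sec",
    "09:53:52 unbound: [2016:0] info: generate keytag query _ta-4a5c-4f66. NULL IN",
]

if __name__ == "__main__":
    for name, lines in (("ipfire", BROKEN_LINES), ("raspberry", HEALTHY_LINES)):
        t = triage(lines)
        print(f"{name}: {t.verdict} (queries={t.queries}, recursions={t.recursions}, "
              f"avg_recursion={t.avg_recursion_secs}s, forwarder failures={dict(t.upstream_failed)})")
```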

@arne_f
Well, we have a DNS system that works on and off, we don't know why.
Are there some logs that can help you understand?

Hi Arne. Thanks for reply.

My iptables rules are these:

```
[root@bs ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
BADTCP     tcp  --  anywhere             anywhere
CUSTOMINPUT  all  --  anywhere             anywhere
P2PBLOCK   all  --  anywhere             anywhere
GUARDIAN   all  --  anywhere             anywhere
IPS_INPUT  all  --  anywhere             anywhere
OVPNBLOCK  all  --  anywhere             anywhere
IPTVINPUT  all  --  anywhere             anywhere
ICMPINPUT  all  --  anywhere             anywhere
LOOPBACK   all  --  anywhere             anywhere
CAPTIVE_PORTAL  all  --  anywhere             anywhere
CONNTRACK  all  --  anywhere             anywhere
DHCPGREENINPUT  all  --  anywhere             anywhere
DHCPBLUEINPUT  all  --  anywhere             anywhere
GEOIPBLOCK  all  --  anywhere             anywhere
IPSECINPUT  all  --  anywhere             anywhere
GUIINPUT   all  --  anywhere             anywhere
WIRELESSINPUT  all  --  anywhere             anywhere             ctstate NEW
OVPNINPUT  all  --  anywhere             anywhere
TOR_INPUT  all  --  anywhere             anywhere
INPUTFW    all  --  anywhere             anywhere
REDINPUT   all  --  anywhere             anywhere
POLICYIN   all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
BADTCP     tcp  --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
CUSTOMFORWARD  all  --  anywhere             anywhere
P2PBLOCK   all  --  anywhere             anywhere
GUARDIAN   all  --  anywhere             anywhere
IPS_FORWARD  all  --  anywhere             anywhere
IPSECBLOCK  all  --  anywhere             anywhere             policy match dir out pol none
OVPNBLOCK  all  --  anywhere             anywhere
OVPNBLOCK  all  --  anywhere             anywhere
IPTVFORWARD  all  --  anywhere             anywhere
LOOPBACK   all  --  anywhere             anywhere
CAPTIVE_PORTAL  all  --  anywhere             anywhere
CONNTRACK  all  --  anywhere             anywhere
GEOIPBLOCK  all  --  anywhere             anywhere
IPSECFORWARD  all  --  anywhere             anywhere
WIRELESSFORWARD  all  --  anywhere             anywhere             ctstate NEW
FORWARDFW  all  --  anywhere             anywhere
UPNPFW     all  --  anywhere             anywhere             ctstate NEW
REDFORWARD  all  --  anywhere             anywhere
POLICYFWD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
CUSTOMOUTPUT  all  --  anywhere             anywhere
P2PBLOCK   all  --  anywhere             anywhere
IPS_OUTPUT  all  --  anywhere             anywhere
IPSECBLOCK  all  --  anywhere             anywhere             policy match dir out pol none
LOOPBACK   all  --  anywhere             anywhere
CONNTRACK  all  --  anywhere             anywhere
DHCPGREENOUTPUT  all  --  anywhere             anywhere
DHCPBLUEOUTPUT  all  --  anywhere             anywhere
IPSECOUTPUT  all  --  anywhere             anywhere
TOR_OUTPUT  all  --  anywhere             anywhere
OUTGOINGFW  all  --  anywhere             anywhere
POLICYOUT  all  --  anywhere             anywhere

Chain BADTCP (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
PSCAN      tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN      tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
PSCAN      tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
PSCAN      tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN      tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
PSCAN      tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
PSCAN      tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
NEWNOTSYN  tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW

Chain CAPTIVE_PORTAL (2 references)
target     prot opt source               destination

Chain CAPTIVE_PORTAL_CLIENTS (0 references)
target     prot opt source               destination
RETURN     udp  --  anywhere             anywhere             udp dpt:domain limit: up to 3kb/s burst 1mb mode srcip
RETURN     tcp  --  anywhere             anywhere             tcp dpt:domain limit: up to 3kb/s burst 1mb mode srcip
DROP       all  --  anywhere             anywhere

Chain CONNTRACK (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED helper match "sip"
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED helper match "h323"
ACCEPT     tcp  --  anywhere             anywhere             ctstate RELATED helper match "ftp" tcp dpts:1024:65535
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED helper match "tftp"
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED helper match "irc"

Chain CUSTOMFORWARD (1 references)
target     prot opt source               destination

Chain CUSTOMINPUT (1 references)
target     prot opt source               destination
DROP       igmp --  anywhere             all-systems.mcast.net

Chain CUSTOMOUTPUT (1 references)
target     prot opt source               destination

Chain DHCPBLUEINPUT (1 references)
target     prot opt source               destination
DHCPINPUT  all  --  anywhere             anywhere

Chain DHCPBLUEOUTPUT (1 references)
target     prot opt source               destination
DHCPOUTPUT  all  --  anywhere             anywhere

Chain DHCPGREENINPUT (1 references)
target     prot opt source               destination
DHCPINPUT  all  --  anywhere             anywhere

Chain DHCPGREENOUTPUT (1 references)
target     prot opt source               destination
DHCPOUTPUT  all  --  anywhere             anywhere

Chain DHCPINPUT (2 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:bootpc dpt:bootps

Chain DHCPOUTPUT (2 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:bootps dpt:bootpc

Chain FORWARDFW (1 references)
target     prot opt source               destination

Chain GEOIPBLOCK (2 references)
target     prot opt source               destination

Chain GUARDIAN (2 references)
target     prot opt source               destination

Chain GUIINPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:snpp

Chain ICMPINPUT (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain INPUTFW (1 references)
target     prot opt source               destination

Chain IPSECBLOCK (2 references)
target     prot opt source               destination

Chain IPSECFORWARD (1 references)
target     prot opt source               destination

Chain IPSECINPUT (1 references)
target     prot opt source               destination

Chain IPSECOUTPUT (1 references)
target     prot opt source               destination

Chain IPS_FORWARD (1 references)
target     prot opt source               destination

Chain IPS_INPUT (1 references)
target     prot opt source               destination

Chain IPS_OUTPUT (1 references)
target     prot opt source               destination

Chain IPTVFORWARD (1 references)
target     prot opt source               destination

Chain IPTVINPUT (1 references)
target     prot opt source               destination

Chain LOG_DROP (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 10/sec burst 5 LOG level warning
DROP       all  --  anywhere             anywhere

Chain LOG_REJECT (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 10/sec burst 5 LOG level warning
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LOOPBACK (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  127.0.0.0/8          anywhere
DROP       all  --  anywhere             127.0.0.0/8

Chain NEWNOTSYN (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 10/sec burst 5 LOG level warning prefix "DROP_NEWNOTSYN "
DROP       all  --  anywhere             anywhere             /* DROP_NEWNOTSYN */

Chain OUTGOINGFW (1 references)
target     prot opt source               destination

Chain OVPNBLOCK (3 references)
target     prot opt source               destination
RETURN     icmp --  anywhere             anywhere             ctstate RELATED

Chain OVPNINPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain P2PBLOCK (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             -m ipp2p  --edk  --dc  --gnu  --kazaa  --bit  --apple  --soul  --winmx  --ares

Chain POLICYFWD (1 references)
target     prot opt source               destination
ACCEPT     all  --  10.254.0.0/24        anywhere
ACCEPT     all  --  anywhere             anywhere             policy match dir in pol ipsec
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  10.254.10.0/24       anywhere
LOG        all  --  anywhere             anywhere             limit: avg 10/sec burst 5 LOG level warning prefix "DROP_FORWARD "
DROP       all  --  anywhere             anywhere             /* DROP_FORWARD */

Chain POLICYIN (1 references)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere             udp dpt:syslog
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             policy match dir in pol ipsec
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 10/sec burst 5 LOG level warning prefix "DROP_INPUT "
DROP       all  --  anywhere             anywhere             /* DROP_INPUT */

Chain POLICYOUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             /* DROP_OUTPUT */

Chain PSCAN (7 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             limit: avg 10/sec burst 5 /* DROP_TCP PScan */ LOG level warning prefix "DROP_TCP Scan "
LOG        udp  --  anywhere             anywhere             limit: avg 10/sec burst 5 /* DROP_UDP PScan */ LOG level warning prefix "DROP_UDP Scan "
LOG        icmp --  anywhere             anywhere             limit: avg 10/sec burst 5 /* DROP_ICMP PScan */ LOG level warning prefix "DROP_ICMP Scan "
LOG        all  -f  anywhere             anywhere             limit: avg 10/sec burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
DROP       all  --  anywhere             anywhere             /* DROP_PScan */

Chain REDFORWARD (1 references)
target     prot opt source               destination

Chain REDINPUT (1 references)
target     prot opt source               destination

Chain TOR_INPUT (1 references)
target     prot opt source               destination

Chain TOR_OUTPUT (1 references)
target     prot opt source               destination

Chain UPNPFW (1 references)
target     prot opt source               destination

Chain WIRELESSFORWARD (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             MAC 08:C5:E1:3C:99:FA
RETURN     all  --  anywhere             anywhere             MAC 14:8F:C6:4F:FB:41
RETURN     all  --  anywhere             anywhere             MAC 00:1A:13:6F:0E:CC
RETURN     all  --  anywhere             anywhere             MAC DC:53:60:C2:94:A8
RETURN     all  --  anywhere             anywhere             MAC 2C:D0:5A:09:53:CA
LOG        all  --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessforward"
DROP       all  --  anywhere             anywhere             /* DROP_Wirelessforward */

Chain WIRELESSINPUT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             MAC 08:C5:E1:3C:99:FA
RETURN     all  --  anywhere             anywhere             MAC 14:8F:C6:4F:FB:41
RETURN     all  --  anywhere             anywhere             MAC 00:1A:13:6F:0E:CC
RETURN     all  --  anywhere             anywhere             MAC DC:53:60:C2:94:A8
RETURN     all  --  anywhere             anywhere             MAC 2C:D0:5A:09:53:CA
LOG        all  --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessinput"
DROP       all  --  anywhere             anywhere             /* DROP_Wirelessinput */
[root@bs ~]#
```

There is none that blocks DNS.

And the Suricata rules are these:

Thanks.

Try disabling Suricata and restarting unbound after this.

If this works, reconfigure the Suricata DNS flood protection (search in /etc/suricata/suricata.yaml).
I had one system with similar problems (slow 4 Mbit on red and gigabit on green; here the default queue is too small for the low upstream bandwidth and Suricata blocks unbound).
The Suricata flood protection is always on, independent of any rule selection.

Yes. I have done a clean install and now when I activate Suricata and save “Domain Name System” it says “Broken”. If I deactivate Suricata and keep “Domain Name System” it says “Working”.

In the old installation it did not work even doing that, maybe from so much fiddling…

What value do I put in the “floodprotection”?

Greetings

I'm not sure. I have doubled all values in the dns section.

No luck. :cry:

Even quadrupling the parameters still does not work.

```yaml
dns:
  # memcaps. Globally and per flow/state.
  # global-memcap: 32mb
  global-memcap: 64mb
  # state-memcap: 512kb
  state-memcap: 2048kb

  # How many unreplied DNS requests are considered a flood.
  # If the limit is reached, app-layer-event:dns.flooded; will match.
  # request-flood: 512
  request-flood: 2048

  tcp:
    enabled: yes
    detection-ports:
      dp: 53
  udp:
    enabled: yes
    detection-ports:
      dp: 53
```

You have many rules enabled in the IPS, when the general advice with Suricata was to have only a limited number of rules. Have you tried deselecting less important rules?